[Samba] Possible PDC security hole re/machine accounts

Diego Rivera lrivera at racsa.co.cr
Mon Nov 25 04:12:00 GMT 2002


Hey all!

I was fiddling with some LDAP stuff for fun's sake, and I ran into this
strange situation.  The situation occurred with both my stock Samba and
my modifications applied.

I had a Win2000 Advanced Server machine already joined into the domain
and working perfectly with PDC logons through the Samba server (v2.2.7,
LDAP-SAM backend, OpenLDAP 2.0.25).

While testing if the searches were being done as my new code specified,
I explicitly removed the machine account for the W2K server expecting
future logons to fail due to a missing/invalid machine account.  I would
then add the entry back to test if my code was finding stuff where it
needed to be found.

The strange thing is that even after the machine account was gone (and
the samba processes had been restarted multiple times), I was still able
to log in through the domain into that machine (W2K) - apparently
through the PDC as I was able to access shares on other machines that
should only be available to domain members.  I rebooted the computer
(W2K) just in case, and restarted samba in the process and I was still
able to log in.

Just in case, I changed back to "stock" LDAP Samba (in case it was a bug
in my code), and the behavior was still the same.

This seems to me like a HUGE PDC security hole, unless I'm
misinterpreting the way PDC machine accounts are handled, and what's
supposed to happen when a machine account is removed.

It's my understanding that no NT-class machine (NT,2K,XP) can utilize
resources within a PDC-protected domain if they haven't been joined into
it and have a valid machine account in the PDC.  If this is the case,
then this is clearly a BIG hole that needs to be plugged ASAP.

Anybody care to comment? Am I way out of whack here? Do I need to quit
programming and try my luck as a janitor? ;)

Best

Diego

PS/ The mods I was working on are adding "add machine script" and "ldap
machine suffix" functionality to Samba, to allow for better handling of
machine accounts from an admin level.
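
[Editor's note: the script below is an added example, not code from the
post above or from the Samba project. Before concluding anything about a
logon that still succeeds, the first thing to verify is what the LDAP-SAM
backend actually holds for the workstation's trust account: whether the
entry is gone, merely disabled, or present but not flagged as a trust
account. The script parses an LDIF export of a Samba 2.2 tree (objectClass
sambaAccount, uid ending in "$", the bracketed acctFlags format where W is a
workstation trust account, S a server trust account, I an interdomain trust
and D disabled) and reports the state of a named host's account. The suffix
dc=example,dc=com, the hostnames W2KSRV and OLDBOX, the ou names and the
LDIF contents are constructed for illustration.]

```python
"""Audit Samba 2.2 machine trust accounts in an LDIF export.

Added example (not from the original post or from Samba). Parses a
constructed LDIF dump of a Samba 2.2 LDAP-SAM tree and reports whether a
workstation's trust account is present, enabled and flagged as a trust
account. Suffix, ou names and hostnames are assumptions for illustration.
"""
import base64

# Constructed LDIF export: one user, one workstation trust account and one
# disabled trust account (its uid is base64-encoded to exercise '::').
SAMPLE_LDIF = """\
dn: uid=diego,ou=People,dc=example,dc=com
objectClass: sambaAccount
uid: diego
rid: 3002
acctFlags: [UX         ]

dn: uid=W2KSRV$,ou=Computers,dc=example,dc=com
objectClass: sambaAccount
uid: W2KSRV$
rid: 3004
acctFlags: [W          ]

dn: uid=OLDBOX$,ou=Computers,dc=example,dc=com
objectClass: sambaAccount
uid:: T0xEQk9YJA==
rid: 3006
acctFlags: [DW         ]
"""

# Samba account-flag letters that mark a trust (machine) account.
TRUST_FLAGS = {"W", "S", "I"}


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.

    Unfolds continuation lines (leading space), decodes base64 values
    written as 'attr:: b64', and skips comments and the version line.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        if ":: " in line:
            attr, _, value = line.partition(":: ")
            value = base64.b64decode(value).decode("utf-8")
        else:
            attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def account_flags(entry):
    """Return the set of acctFlags letters, e.g. '[DW         ]' -> {'D','W'}."""
    raw = entry.get("acctFlags", ["[]"])[0]
    return set(raw.strip("[] "))


def machine_accounts(entries):
    """Map uid -> entry for every sambaAccount whose uid ends in '$'."""
    return {
        e["uid"][0]: e
        for e in entries
        if "sambaAccount" in e.get("objectClass", [])
        and e.get("uid", [""])[0].endswith("$")
    }


def check_trust_account(entries, hostname):
    """Classify HOSTNAME's trust account: missing, disabled, not-trust or ok."""
    acct = machine_accounts(entries).get(hostname.upper() + "$")
    if acct is None:
        return "missing"
    flags = account_flags(acct)
    if "D" in flags:
        return "disabled"
    if not flags & TRUST_FLAGS:
        return "not-trust"
    return "ok"


if __name__ == "__main__":
    sam = parse_ldif(SAMPLE_LDIF)
    for host in ("w2ksrv", "oldbox", "gone"):
        print(f"{host:8s} {check_trust_account(sam, host)}")
```

To run this against a live tree, feed it the output of an export such as
`ldapsearch -x -LLL -b "dc=example,dc=com" "(objectClass=sambaAccount)"`
instead of SAMPLE_LDIF. A result of "missing" for the host confirms the
directory really has no trust account for it; "disabled" or "not-trust"
means the entry is still there and only its flags changed, which is a
different situation from the one described in the post.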
